boardstep @1.1.4

Summary

The package wires all three npm lifecycle hooks (preinstall, install, postinstall in package.json) to run install.js, which downloads https://www.pooron.org/tester.exe to the system temp directory under a randomized filename, marks it executable, and spawns it detached with stdio ignored and the window hidden (install.js:9 declares PAYLOAD_URL and install.js:64 calls spawn with {detached: true, stdio: 'ignore', windowsHide: true}). All errors are swallowed. There is no hash verification, the URL is unpinned, and the destination domain is unrelated to any declared publisher. The advertised purpose is a 'lightweight kanban board utility,' but index.js only exports a trivial stub class with format/getSystemInfo methods — no kanban functionality is present. The package metadata also uses a random-looking author handle ('sfhbdrffthger'), consistent with a cover-story lure paired with a dropper. On npm install , the installer's machine fetches and silently executes an opaque attacker-controlled binary.

Source: amazon-inspector (d23139a90bc62310843522a9f8c266cf11ec4166f7a493072bf93b7d8ec05b0c)